跳转至

CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection

Ch01.504 CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection

📊 Level ⭐⭐ | 7.0KB | entities/cheriot-ibex-memory-safety-hardware-enforcement.md

深度分析

CHERIoT-Ibex 是微软于 2023 年开源的 CHERIoT 平台的核心实现,首次将 CHERI(Capability Hardware Enhanced RISC Instructions)能力模型落地为生产级开源硬件。 CHERI 架构通过能力指针(Capability) 取代传统 flat pointer,从硬件层面强制约束每个内存区域的访问权限——包括空间边界(spatial)和有效期(temporal),从根源上堵死 buffer overflow 和 use-after-free 两类最高发漏洞。 CHERIoT 在 CHERI 基础上专为嵌入式 / IoT 场景做了轻量化适配,底层选用 LowRISC 的 32 位 RISC-V 核心 Ibex。CHERIoT-Ibex 通过 CHERI Alliance 认证,验证其提供空间安全 + 时间安全 + 细粒度隔离三重保障,且硅成本与低功耗微控制器相当——打破了"安全必付溢价"的传统假设。 微软数据显示其每年 CVE 中约 70% 源于内存安全漏洞(CISA 报告亦指出软件产品内存安全问题的紧迫性),CHERIoT-Ibex 的定位正是从硬件层消除这类缺陷的根因。

实践启示

适用场景:对安全有强制要求的嵌入式微控制器、IoT 端点、Azure 底层基础设施固件。 集成路径:微软已开源完整 ISA + 工具链 + RTOS + RTL,开发者可通过 microsoft/cheriot-ibex 获取并参与生态。 架构决策:CHERIoT-Ibex 体现 silicons-to-systems 战略——安全不从软件层打补丁,而是下沉至硬件基础设施,从设计之初即嵌入纵深防御。

"CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection"

URL Source: https://techcommunity.microsoft.com/blog/azureinfrastructureblog/cheriot-ibex-closing-the-door-on-memory-safety-vulnerabilities-with-hardware-enf/4517904 Published Time: 5/9/2026, 5:08:11 AM Markdown Content:

CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection | Microsoft Community Hub

Open Side Menu Skip to contentImage 1: Brand Logo Tech CommunityCommunity Hubs Products Topics BlogsEvents Skills Hub Community RegisterSign In 1. Microsoft Community Hub 3. CommunitiesProducts 5. Azure 7. Azure Infrastructure Blog Report

Azure Infrastructure Blog

Blog Post

Azure Infrastructure Blog 3 MIN READ

CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection

Image 2: kunyanliu's avatar kunyanliu Image 3: Icon for Microsoft rankMicrosoft May 08, 2026 Memory safety vulner

相关实体